Cybersecurity
Authors
Max Smeets
Herbert Lin
News Type
Commentary
 

The new U.S. Cyber Command (USCYBERCOM) vision and the Department of Defense Cyber Strategy embody a fundamental reorientation in strategic thinking.

With the publication of these documents, as well as the 2017 National Security Strategy and the 2018 National Defense Strategy, there is a general conception among experts that the U.S. has, for the first time, articulated a strategy that truly appreciates the unique “symptoms” of cyberspace. The documents recognize that there is a new structural set of dynamics associated with the new domain of cyberspace that has incentivized a new approach to power competition—in particular, that hostile or adversarial behavior below the threshold of armed attack could nevertheless be strategically meaningful (that is, change the balance of power).

Yet most cyber experts have also argued that the ‘medicine’ prescribed by the Defense Department and USCYBERCOM should be further scrutinized. Indeed, the side effects of the strategy of “persistent engagement” and “defense forward” are still ill-understood. As we have argued elsewhere, a United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure. More research is required to better understand adversarial adaptive capacity and escalation dynamics.

We should note that the Department of Defense lexicon has not yet provided a formal definition of “defending forward.” We suspect the formal definition that is ultimately adopted will be similar to the earlier concept of “counter cyber,” though with an emphasis on adversarial cyber campaigns (instead of ‘activities’): “A mission that integrates offensive and defensive operations to attain and maintain a desired degree of cyberspace superiority. Counter-cyber missions are designed to disrupt, negate, and/or destroy adversarial cyberspace activities and capabilities, both before and after their employment.”

Scholarship to date has mainly pointed out that this new U.S. strategic thinking could be escalatory, but it has not sought to spell out the specific causal mechanisms and scenarios as to how the consequences of the strategic shift may unfold.

In a forthcoming article, part of an edited volume on offensive cyber operations published by the Brookings Institution (entitled “Bytes, Bombs, and Spies: Strategic Dimensions of Offensive Cyber Operations”), we systematically address some of these conflict outcomes. Specifically, we consider the four general outcomes possible over time with two outcome variables: a more (or less) powerful U.S. and a more (or less) stable cyberspace.

 

 

| | More U.S. power relative to adversaries | Less U.S. power relative to adversaries |
| --- | --- | --- |
| More stability | More powerful & more stability | Less powerful & more stability |
| Less stability | More powerful & less stability | Less powerful & less stability |

 

The Optimal Outcome

From the U.S. standpoint, the optimal outcome is a United States that is more powerful in cyberspace along with a more stable cyberspace. Indeed, from the U.S. standpoint, the former will lead to the latter. A more stable cyberspace will involve norms of acceptable behavior, less conflict and so on.

One path towards this rosy outcome is that the strategy does what it is said to do: it creates significant friction and makes it hard for adversaries to operate effectively. Adversaries realize that the U.S. strategy of persistent engagement makes it more difficult to conduct various offensive cyber operations, and they have no strong incentives to escalate as it may trigger a U.S. response in the conventional domain. USCYBERCOM has the advantage from the beginning.

Some argued at the first USCYBERCOM symposium that persistent engagement may first lead to a worsening situation before it gets better. This outcome is possible under one of two conditions. First, USCYBERCOM could initially be unable to seize the initiative from a capacity perspective, but become increasingly better at it in the future. This may well be true: USCYBERCOM is still continuing to develop its cyber capacity. Even though the Cyber Mission Force (CMF) has achieved full operational capability, it will take time for the new workforce to operate capably and ensure the effective coordination of all units.

The second condition is that other actors could increase their hostile cyber activity in the short term, but become less hostile in the long run. This condition is much less likely to be true: Other actors are likely to adapt to U.S. activities over time rather than to reduce their own activities, and the expected number of actors with hostile intent in this space is likely to increase over time. For example, FireEye recently reported on the “rise of the rest,” arguing that the world has seen a growing number of advanced persistent threat (APT) groups attributed to countries other than Russia or China.

Another more powerful and more stable situation analyzed in the paper could—perhaps paradoxically—be described as “deterrence through a strategy of persistence.” In this particular outcome, the main threat actors are initially cautious to act, following the release of the new U.S. strategy. However, this is unlikely: Other actors will probably not exhibit caution to see which way the wind blows before acting. An excerpt from Lt. Gen. Nakasone’s nomination hearing to serve as director of the NSA is telling:

            Sen. Sullivan: They [our adversaries] don’t fear us.

            Gen. Nakasone: They don’t fear us.

            Sen. Sullivan: So, is that good?

            Gen. Nakasone: It is not good, Senator.

As a follow-up to Sen. Dan Sullivan’s question, Sen. Ben Sasse asked: “Is there any response from the United States Government that’s sufficient to change the Chinese behavior?... Do you think there’s any reason the Chinese should be worried about U.S. response at the present?” Lt. Gen. Nakasone responded: “Again, I think that our adversaries have not seen our response in sufficient detail to change their behavior.” In line with this notion, it is unlikely that the publication of the strategies alone will be sufficiently threatening to lead to this optimal outcome.

Less Optimal Outcomes

One path towards escalation involves adversaries becoming more aggressive and conducting attacks that are highly disruptive to society—in other words, adversary activity leads to a less stable cyberspace. This could be the result of either an adversary’s increased willingness to conduct attacks using existing capacities or increased capacities of the adversary. Indeed, with respect to the latter, the U.S. vision—and associated changed course of action—may encourage other actors to grow their budgets to conduct offensive cyber operations. The proliferation literature on weapons of mass destruction has extensively covered the role of special interests in stimulating demand for weapon development. This makes it a strong possibility that the new U.S. vision can be used by those groups within a given country favoring a growing cyber command to justify and lobby for increased military spending.

A second possibility is that increased U.S. offensive cyber activity below the threshold of armed attack reduces the value of cyber norms of behavior that support a more stable cyberspace. Even today, some observers believe that the high level of offensive activity in cyberspace demonstrates quite forcefully that nations find value in conducting such activity, and that such activity points to the difficulty of establishing a more peaceful cyber norms regime. These observers argue that there is no reason to expect that increasing the U.S. contribution to such activity worldwide will make it easier to establish such a regime. Finally, a third possibility is that increased U.S. offensive cyber activity will complicate diplomatic relations with allies and other nations whose cyber infrastructures are used in support of such activity.

Increased aggressiveness by adversaries could also result from growing incentives to conduct offensive cyber operations of a highly disruptive nature. In this case, heightened aggressiveness might be a symptom of the U.S. strategy actually being effective in making the U.S. more powerful. Consider, for example, the current war against the Islamic State: losing territory and grip in the Middle East, the terrorist organization is said to be keen to recruit followers in Europe and other places in the world to conduct attacks outside of Iraq and Syria. These attempted mass killings are a way to show that the group still needs to be feared and potentially to help with recruiting—but they do not change the balance of power in the region. Actors in cyberspace might become more noisy and aggressive purely to increase friction, gain attention and so on—and perhaps also to influence international public opinion in ways that drive the United States toward changing its strategy.

Finally, worst-case outcomes—that is, a United States that is less powerful in cyberspace along with a less stable cyberspace—could stem from a multitude of sources. One possibility is that the United States could overplay its hand in terms of cyber capabilities. USCYBERCOM is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. The dangers of fighting on multiple fronts—even for the most capable actors—are well known from conventional warfare. As the number of potential cyber “fronts” is much higher compared to conventional warfare, the risks of overextension have become much higher as well. The Defense Department vision’s explicit focus on Russia and China, following the USCYBERCOM vision’s silence on the issue of priorities, makes us less concerned about this scenario—though it is still a possibility.

Final Word

After initial, prompt analysis from the scholarly community of the strategies, the country now needs systematic research on how persistent engagement and defense forward may play out. We believe that outcome-based analysis is one desired form of research which could be expanded. (One important limitation of our analysis is that we do not pay sufficient attention to the risks of the U.S. not changing its course of action.)

Other research in this field would be helpful as well—consider case study analyses. Russia conducts very different cyber campaigns to affect U.S. sources of power than does China, and defense forward will thus look very different in both cases. But how the U.S. should defend forward for each specific case, in order to optimize power gains and reduce escalation, has not yet been addressed. This work is needed.

Also, the question is not just how adversaries will respond to the change in U.S. strategy. It is equally important to analyze the behavior of allies. With the implementation of this strategy, will allies follow? Or will they stick to the general deterrence-type strategies?

The bottom line? More research is needed—let’s get to it.

 


Nations around the world recognize cybersecurity as a critical issue for public policy. They are concerned that their adversaries could conduct cyberattacks against their interests—damaging their military forces, their economies, and their political processes. Thus, their cybersecurity efforts have been devoted largely to protecting important information technology systems and networks against such attacks. Recognizing this point, the Oxford Dictionaries added in 2013 a new word to its lexicon—it defined cybersecurity as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”

Publication Type
Journal Articles
Journal Publisher
Oxford Academic
Authors
Amy Zegart
Herbert Lin
Number
1
News Type
Q&As

Max Smeets is a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation (CISAC), a Research Associate at the Centre for Technology & Global Affairs, University of Oxford, and a non-resident cybersecurity policy fellow at New America. In 2018, he was awarded the Journal of Strategic Studies’ prestigious Amos Perlmutter Prize for the most outstanding publication by a junior faculty member.

 

This interview originally appeared on Global Policy: Next Generation, a new annual issue from the journal Global Policy.

 

 

First, can you briefly describe your work and your interest in the field of cybersecurity?

I am currently finishing up my book manuscript on the dynamics of cyber proliferation. For at least a decade, policymakers and analysts have made explicit statements about the spread of what some call ‘cyberweapons’. Some senior officials argue that well over 30 nation-states are capable of launching cyber attacks; others are less conservative in their estimates. But, like much of the early nuclear thinking, no explicit basis for these estimates and forecasts is provided. Indeed, variations of the ‘domino effect’ logic -- when one goes cyber, all go cyber -- seem to implicitly dominate thinking. 

There is a lack of attentiveness to the theoretical assumptions behind why governments are setting up these military units to conduct offensive cyber operations, and there is a need for more social science scholarship on this topic. The main argument of my book is that the world is not at the brink of ‘mass cyber proliferation’.

 

How much do existing theories of international security contribute to understandings of the dynamics of cyber proliferation? Are other proliferation theories still useful for understanding this new space? 

They contribute a lot. Scott Sagan’s classic study identifies three ‘models’ (international security, domestic politics, and identity politics/symbolism), in the informal sense of the term, to explain states’ willingness to go for the nuclear option. I also use these ‘models’ to better understand the motivations of states to go cyber. But we have to be very careful here. The fundamental dynamics of cyber proliferation are different in a number of ways. For example, non-state actors play a much bigger role in enabling states to develop these capabilities. The Russian government, perhaps most prominently, is known to rely on cyber criminals and other patriotic hackers to conduct cyber operations. For a good overview, see this piece in Meduza.

 

You have also published on other topics, including your prize-winning article in the Journal of Strategic Studies. The article argues that the “transitory” nature of cyberweapons is an underappreciated dimension of cybersecurity. What do you mean by this?

Formally, the transitory nature of cyberweapons (a term which I actually do not use in my forthcoming publications) refers to ‘the temporary ability to access a computer system or network to cause harm or damage to living and material entities’.

Less formally, we can draw an analogy with food and cooking. Food is perishable. And we have a pretty good sense of ‘best-before dates’ of different types of food. The perishability of food likely affects our decision-making: when you have a delicious piece of salmon in the fridge which goes off tomorrow, you’re more likely to eat it today. 

For cyber, when a new ‘exploit’ is developed for a certain vulnerability, we do not have a good sense of the practices which affect the exploit’s ‘best-before date’. Equally, there is little research which explains how these time dynamics affect the decision-making of offensive actors, and so my article in JSS sought to provide some insights.

 

In what ways might appreciating the transitory nature of cyber capabilities change policymakers’ approach to cyber policy?

Offensive cyber programs potentially require a different approach to budgeting, at least when compared with conventional weapon programs. For conventional weapon programs, (government) institutions can come up with a relatively good cost estimate as to what is required to maintain a certain capability; a typical budget proposal would say ‘in X years’ time, the following capability needs to be replaced/upgraded. Hence, we project to spend …’. Conventional weapons’ ageing is generally modeled as a gradual (log-linear) deterioration. 

This approach, however, does not hold up for cyber. Instead, governments only have the ability to use a certain ‘exploit’ or weapon for a certain period of time, and its usability rapidly declines when it is discovered. What this means is that more flexible budgets (and hiring procedures) are recommended to cope with potentially prompt fluctuations in overall capability.

 

Which books have proved influential for your work? 

I have been impressed by Ben Buchanan’s book The Cybersecurity Dilemma published last year. As the title suggests, the book argues that the security dilemma also holds great relevance in cybersecurity. More specifically, Buchanan’s argument is that states are incentivized to launch intrusions into others’ networks to enhance their own security, but in the process risk escalating tensions.

There are not many books in the field which combine IR theory with ‘cyber’, but this book is one of them and does it well. Also, it is pretty difficult to write a book on cyber conflict which stands the test of time, as the dynamics are changing so quickly and our understanding too. But I believe that Buchanan’s book - describing a fundamental dynamic of this ‘domain’ - will still be on course syllabi 10+ years from now.

 

What other disciplines should people in your subfield learn more about in order to better understand cybersecurity? Or what other disciplines do you find it valuable to draw on in your research? 

Some have argued that cyber studies can be split up into different wings, in which political scientists, computer scientists, legal scholars, etc. would each contribute their own share to understanding different aspects of the cyber issue. I, however, am a big believer in interdisciplinary research and think trying to split up the field would quickly lead to a similar situation as the attempt of the blind men to discover the nature of the elephant: the one who touches its leg calls it a tree, another who touches its tail calls it a rope, and so on.

I am currently reading a lot of organizational management literature. Scholars who set out to explain the conduct of cyber operations normally focus on arguments related to the ‘nature’ or ‘meaning’ of cyberspace. Yet, we cannot fully understand the use of cyber capabilities without studying the organisational structure in which the use of these capabilities is embedded. For example, in previous work I have argued that organizational integration between intelligence and military activities can both enable and constrain the conduct of cyber operations.

 


What piece of advice have you found most helpful as an early career researcher?  

There is this great Twitter account called “Lego Grad Student”. One of the tweets is a picture of 'Lego Grad Student' in a bathroom, and says: “Washing up for bed after accomplishing nothing that day, the grad student instinctively refuses to look at himself in the mirror.”

What I believe should be avoided during the PhD is a perfect correlation between ‘happiness’ and ‘PhD progress’: e.g. when research goes well I’m happy; when research goes badly I’m not happy (and don’t want to look at myself in the mirror). That’s dangerous - although, of course, some correlation is inevitable and cannot be avoided.

It is likely there will be (sometimes long) stretches of time that you are not happy with your research. It is hard to break the negative cycle if there is ‘perfect’ correlation. I think a key strategy to managing this issue is setting goals that have nothing to do with your research, for instance joining a sports team or becoming a Trivial Pursuit expert. The key is finding other opportunities to generate a sense of accomplishment that can tide you over during challenging periods in your research. 

 

What advice would you give to students just beginning their doctoral research?  

We all talk about finding the supervisor who is the perfect research fit. Supervisors are important. But I would say peers are more important. Who is sitting next to you in your office/open desk space changes your day, week, and PhD-life completely. Having people with whom you can share your writing and your successes or failures is also critical.

Emma Lecavalier is the Deputy Editor of Global Policy: Next Generation.

 


Abstract: There is a growing interest in the use of offensive cyber capabilities (OCC) among states. Despite the growing interest in these capabilities, little is still known about the nature of OCC as a tool of the state. This research therefore aims to understand if (and how) offensive cyber capabilities have the potential to change the role of military power. Drawing on a wide range of cases, we argue that these capabilities can alter the manner in which states use their military power strategically in at least four ways. OCC are not particularly effective in deterring adversary military action, except when threatened to be used by states with a credible reputation. However, they do have value in compellence. Unlike conventional capabilities, the effects of offensive cyber operations do not necessarily have to be exposed publicly, which means the compelled party can back down post-action without losing face thus deescalating conflict. The potential to control the reversibility of effect of an OCC by the attacker may also encourage compliance. OCC also contribute to the use of force for defensive purposes, as it could provide both a preemptive as well as preventive strike option. Finally, its symbolic value as a ‘prestige weapon’ to enhance ‘swaggering’ remains unclear, due to its largely non-material ontology and transitory nature.

Publication Type
Annual Reports
Journal Publisher
NATO CCD COE Publications: Tallinn
Authors
Max Smeets